
Thoughts on the wannacry virus and the importance of starting assumptions

This was written just as a piece to see what happens to the potential outcome of a piece of analysis when basic assumptions change.  I’m not admitting whether I think any of the below is accurate (except for the facts I have taken from others’ primary forensic analysis).
More than enough has been written about the wannacry ransom attack, especially from a technical viewpoint, and the post-attack analysis has made interesting reading in terms of ‘how’ this attack took place. The quality of the forensic analysis has been pretty impressive, although some elements around the attack vector still seem contested (or at least confusing to me).
The reading on ‘who’ fashioned this attack has been less interesting in that it seems to have come to the conclusion it was North Korea on the basis of re-used code blocks and not much else from what I have read. 
The area that seems to have had even less analysis is ‘why’. It’s ransomware; it’s to make money. I can almost see some of the people I know rolling their eyes in quiet desperation. Bear with me. ‘Why’ can sometimes help with the ‘who’, on the basis of ‘cui bono’ if nothing else.
What has struck me however is the fact that much of the discussion seems to have been based on the unquestioned assumption that this was about money. But something doesn’t seem to quite add up.
In the case of wannacry the problem is that if ransomware is to make money it’s just not very good ransomware – despite using what I understand to be an innovative and highly effective propagation mechanism (although more on that later).
So why isn’t it very good ransomware?  Well, firstly, the estimates I have seen suggest they have not made very much money out of it.  If that is the most effective measure of ransomware success, then wannacry would seem to fail.
Secondly, there is the inclusion of what seems to be a poorly thought out kill switch, which appears to have been the main reason why the spread was contained. There are suggestions that this was a badly designed sandbox detection mechanism[1] and not a kill switch at all, but nevertheless it allowed the malware spread to be stopped. This does raise the question of why a variant appeared that included a different domain name acting in the same way as the first. If it was clear that this technique was preventing success, then sending out a variant with the same technique embedded within it makes little sense. What I haven’t seen is whether there is any indication that any new variant is from the same criminals or whether it is someone taking a chance on getting a few dollars for not much work.
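To make the ‘sandbox check or kill switch’ distinction concrete, here is an added illustration (my own example code, not anything taken from the malware or from the forensic reports) of why a check of the form ‘stop if this unregistered domain resolves’ cannot tell a sandbox that answers every DNS query apart from the real internet after a researcher has registered the domain. The domain name, the resolver behaviours and the IP addresses are constructed placeholders for the example, not the real ones; the resolver is injected so the script runs offline.

```python
"""Added example: a DNS-based sandbox check and why it doubles as a kill switch.

Not code from the original post or from the malware. The probe domain, the
resolver environments and the addresses below are constructed for illustration.
"""
import secrets
from typing import Callable, Optional

# Placeholder probe domain: an assumption for this example, not the real one.
CHECK_DOMAIN = "unregistered-probe.example"

# A resolver maps a hostname to an address, or None if it does not resolve.
Resolver = Callable[[str], Optional[str]]


def should_continue(resolve: Resolver, domain: str = CHECK_DOMAIN) -> bool:
    """Return True if the payload would proceed.

    This mirrors the check as described: if the probe domain resolves, assume
    we are in an analysis environment that answers every DNS query and halt.
    Any resolver error is treated as 'did not resolve' (i.e. carry on).
    """
    try:
        answer = resolve(domain)
    except Exception:
        answer = None
    return answer is None


def should_continue_random_probe(resolve: Resolver) -> bool:
    """Same idea, but probing a freshly generated name nobody could pre-register.

    A sandbox that fakes all DNS still answers, so it is still detected, but
    registering one fixed domain no longer switches the payload off globally.
    Included to show how little it takes to avoid the kill-switch side effect.
    """
    probe = secrets.token_hex(8) + ".example"  # random label, constructed at run time
    return should_continue(resolve, probe)


# --- constructed resolver environments (not real DNS data) ---

def internet_before_registration(domain: str) -> Optional[str]:
    """Normal resolver: only known names resolve; the probe domain is unregistered."""
    known = {"www.example.com": "192.0.2.10"}
    return known.get(domain)


def sandbox_resolver(domain: str) -> Optional[str]:
    """Analysis sandbox that returns an answer for every name it is asked."""
    return "198.51.100.1"


def internet_after_registration(domain: str) -> Optional[str]:
    """Same resolver as before, but a researcher has now registered the probe domain."""
    known = {"www.example.com": "192.0.2.10", CHECK_DOMAIN: "203.0.113.5"}
    return known.get(domain)


def outcomes() -> dict:
    """Whether the fixed-domain check lets the payload run in each environment."""
    return {
        "unregistered": should_continue(internet_before_registration),
        "sandbox": should_continue(sandbox_resolver),
        "registered": should_continue(internet_after_registration),
    }


if __name__ == "__main__":
    for env, runs in outcomes().items():
        print(f"{env:12s} -> {'runs' if runs else 'halts'}")
    print("random probe, sandbox      ->", "runs" if should_continue_random_probe(sandbox_resolver) else "halts")
    print("random probe, registered   ->", "runs" if should_continue_random_probe(internet_after_registration) else "halts")
```

The fixed-domain check halts both in the sandbox and on the real internet once the domain is registered, which is exactly the behaviour that let the spread be stopped; the random-probe variant halts only in the sandbox. That the simpler, easily defeated form was chosen is what makes the ‘deliberate design point’ reading below at least worth entertaining.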
Thirdly, the payment mechanism wasn’t particularly good, with a limited number of hard coded bitcoin wallets (some reports say four and some say three), which would mean that any correlation between someone who paid and decryption would need to be done manually. There seem to be two main public explanations for this: technical ineptitude, or no intention ever to provide the promised decryption. The whole business model of kidnap and ransom (physical or virtual) would seem to be based on the belief that payment of the ransom will be honoured by the criminal. Certainly in a repeatable virtual crime this would be fundamental to determining financial success. This ransomware attack does not appear to have been designed to achieve financial success, at least not through ransom.
Of course, if we assume a financial motivation (and let’s at least be aware that it is an assumption) there are other ways to make money out of this sort of event.  Cyber-security company stocks, predictably, shot up in the immediate aftermath[2] (but have since fallen back quite a lot) and a plan that involved profiting from this would make some sense. I can only assume that somebody in law enforcement is already looking for unusual trades prior to the attack.  (I am not going to go down the route of suggesting that it was the cyber-security firms themselves who were responsible – most of them already seem to have a licence to print money – but any proper analysis should consider this possibility.)
However, we really should consider the hypothesis that this attack was not about making money in the first place.
The assumption that it is financial has led to the conclusion that it is a technically inept group responsible. 
However, if we assume a technically capable group as the perpetrators (rather than assume financial gain from ransom as the motive) then things potentially look somewhat different. With this new assumption:
· Could the kill-switch be a deliberate design point to limit the spread of the malware, only disguised as a poorly thought out detection evasion system?
· Instead of being a technical disaster, is the non-functional payment mechanism a deliberate attempt to damage the ransomware brand?
· And the sloppy coding technique: is that just deliberate obfuscation of technical skill?
· Could the choice of an exploit that took advantage of SMB and port 445 suggest that home users were explicitly excluded as a target?
The (welcome) rush to patch was of course also predictable and Microsoft had released a patch a month earlier (so a lot of scheduled upgrades would have taken place by the time the attack hit) and the attack did conveniently avoid year end, quarter end, or month end periods where the capability to implement changes might have been process limited. Microsoft’s ability to produce an XP patch in short order was clearly helpful but surprising given it has been out of support for so long.
It could also be argued that the one thing that wannacry has achieved above all else is raising awareness of the dangers of out of date and unpatched systems, and as a result this could easily be the best thing to happen to UK IT infrastructure since we gave up on state support for ICL (if you’re not as old as me then you will have to look them up). Certainly the government’s NCSC seem to think it had value as a communications programme to “make people sit up and take notice...”[3] This must have been a relief, after the time and effort they have spent trying to get the message across both regarding the need for basic patching and the likelihood of a major event.
Once we change the assumption of financial motivation to an assumption of a high level of technical capability then there are completely new possibilities as to motivation and perpetrators.

